[squid-users] Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 1 11:11:53 UTC 2018

On 1/12/18 3:43 am, Ahmad, Sarfaraz wrote:
> I think almost every time squid opens a TCP connection, It also tried to
> open a raw socket of type AF_NETLINK. Syscall pasted below.
> Any thoughts ?

* To receive NAT intercepted connections Squid needs access to the
system NAT table to identify what origin server the client was actually
trying to get to before it was diverted into Squid.

* To send traffic with TPROXY interception Squid must setup the socket
for sending the spoofed IP addresses.

* To perform Netfilter MARK operations (both fetch and set) Squid uses
Netfilter Conntrack APIs.

* To fetch EUI information about connections received or sent after they
are open via POSIX getsockopt() or BSD ioctl() APIs. This is optional
and on by default (eui_lookup to configure)

Any of those may be defined by your system Netfilter libraries in terms
of AF_NETLINK traffic in the background. If they are doing things like
that then the ICMP sockets and (less likely) UDS sockets may also be

If the behaviour is as repeatable as you say you can use a ALL,9 level
cache .log trace to see what exactly Squid is trying to do at the time
it happens.


More information about the squid-users mailing list